Algorithms for CRT-Variant of Approximate Greatest Common Divisor Problem Received Jul 15, 2019; Accepted Aug 25, 2020


J. Math. Cryptol. 2020; 14:397–413. Research Article

Jung Hee Cheon, Wonhee Cho, Minki Hhan, Jiseung Kim, and Changmin Lee*

Algorithms for CRT-variant of Approximate Greatest Common Divisor Problem

https://doi.org/10.1515/jmc-2019-0031
Received Jul 15, 2019; accepted Aug 25, 2020

Abstract: The approximate greatest common divisor problem (ACD) and its variants have been used to construct many cryptographic primitives. In particular, the variants of the ACD problem based on the Chinese remainder theorem (CRT) are used in constructions of batch fully homomorphic encryption that encrypt multiple messages in one ciphertext. Despite the utility of the CRT-variant scheme, the algorithms that underpin its security foundation have not been probed well enough. In this paper, we propose two algorithms and report the results of experiments in which the proposed algorithms were used to solve the variant problem. Both algorithms take the same time complexity $2^{\tilde{O}\left(\frac{\gamma}{(\eta-\rho)^2}\right)}$, up to a polynomial factor, to solve the variant problem for bit size of samples $\gamma$, secret primes $\eta$, and error bound $\rho$. Our algorithm gives the first parameter condition relating the sizes of $\eta$ and $\gamma$. The experimental results confirm that the proposed algorithms work well both in theoretical and experimental terms.

Keywords: CCK-ACD; Lattice; orthogonal lattice attack; SDA

2020 Mathematics Subject Classification: 11Y16

1 Introduction

Howgrave-Graham defined and studied the approximate greatest common divisor (ACD) problem in [16]. The ACD problem and its variants have been used to construct cryptographic schemes such as fully homomorphic encryption (FHE) and cryptographic multilinear maps [4, 6, 9, 19]. The first variant to be suggested was the partial approximate common divisor (PACD) problem. This variant allowed a more efficient ACD-based homomorphic encryption scheme [7].

Continuing this line of work, another variant of the ACD problem was introduced in [4] to build a new FHE scheme over the integers, called the CCK-FHE scheme. This scheme uses the Chinese remainder theorem to encrypt multiple messages in one ciphertext. Informally, for integers $\gamma$, $n$, $\eta$, and $\rho$ such that $\gamma \gg n \cdot \eta$ and $\eta \gg \rho$, a $\gamma$-bit ciphertext integer $b$ of this scheme is characterized by the modular equations $b \equiv r_i \bmod p_i$ for $1 \le i \le n$, where the $r_i$ are $\rho$-bit integers and the $p_i$ are fixed secret $\eta$-bit primes. The problem of distinguishing ciphertexts of the CCK-FHE scheme from uniform $\gamma$-bit integers, where the $\gamma$-bit integer $N = \prod_{i=0}^{n} p_i$ is given as the product of the secret primes, is called CCK-ACD.¹ In the case $n = 1$, the problem is called the PACD problem.

On the other hand, algorithms to directly solve the CCK-ACD problem have garnered less attention. Galbraith, Gebregiyorgis and Murphy stated that an algorithm to solve the CCK-ACD problem exploiting the CRT structure is an open problem [13]. In fact, there have been no algorithms for solving the CCK-ACD problem so far except for the method of Chen and Nguyen [3], which depends only on $\rho$.

*Corresponding Author: Changmin Lee: ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), 46 Allée d'Italie, 69007 Lyon, France; Email: [email protected]
Jung Hee Cheon: Seoul National University, 1 Gwanak-ro, 08826 Seoul, South Korea; Email: [email protected]
Wonhee Cho: Seoul National University, 1 Gwanak-ro, 08826 Seoul, South Korea; Email: [email protected]
Minki Hhan: Seoul National University, 1 Gwanak-ro, 08826 Seoul, South Korea; Email: [email protected]
Jiseung Kim: Seoul National University, 1 Gwanak-ro, 08826 Seoul, South Korea; Email: [email protected]
¹ We give a formal definition of the CCK-ACD problem in Section 2.
Open Access. © 2020 J. H. Cheon et al., published by De Gruyter. This work is licensed under the Creative Commons Attribution 4.0 License.

Instead, in order to provide evidence of CCK-FHE's security, the authors of [4] gave a reduction from PACD to CCK-ACD. However, while the current CCK-FHE parameters are set to be secure against Chen and Nguyen's attack, the authors of [4] did not use the parameter settings obtained from the reduction for known PACD parameters. Therefore, it is necessary to determine whether the CCK-FHE parameters satisfy the desired security even under the current conditions on $\eta$ and $\gamma$. In sum, one can naturally pose the following question:

Is it possible to present the time complexity for solving CCK-ACD by using a mathematical algorithm that depends on $\eta$ and $\gamma$?

Previous works

Several naive methods have been suggested to solve the CCK-ACD problem. Their main idea is to exploit the feature of the problem that the error terms are relatively small and the product of the secret primes is given. In other words, one can try a brute-force attack to recover a secret prime $p_i$ from the multiple $N = \prod_{i=0}^{n} p_i$ and a CCK-ACD sample represented as $b = p_i \cdot q_i + r_i$ for some fixed $i$, where the integer $r_i \in (-2^{\rho}, 2^{\rho})$ except for $i = 0$. The method is to compute the greatest common divisor (GCD) of $b - a$ and $N$ for all integers $a \in (-2^{\rho}, 2^{\rho})$. This has time complexity $\tilde{O}(2^{\rho})$, so $\rho$ should be set to $\Omega(\lambda)$ for the security parameter $\lambda$. Furthermore, the variants of exhaustive search proposed in [3] and [7], which solve (P)ACD in $\tilde{O}(2^{\rho/2})$ time, can be applied to solve the CCK-ACD problem because of the feature mentioned above. In addition, one can also use factorization with the elliptic curve method to find a factor of $N$ in $2^{\tilde{O}(\sqrt{\eta})}$ time, where $\eta$ is the log-size of $p_i$. Thus, $\eta$ should be set to $\Omega(\lambda^2)$ for the security parameter $\lambda$.

As another attempt to solve CCK-ACD, the authors of [14] considered well-known algorithms for solving PACD, such as the orthogonal lattice attack (OLA) and simultaneous Diophantine approximation (SDA) [6, 12, 16, 19], in the context of CCK-ACD. SDA and OLA apply a lattice reduction algorithm to a specific lattice whose entries consist of the given PACD samples and the multiple $N = \prod_{i=0}^{n} p_i$. If one obtains a short vector of the lattice from the lattice reduction algorithm, its coordinates lead to a solution of the PACD problem. Since these algorithms for (P)ACD have time complexity depending on $\eta$ and $\gamma$, one can expect that extending them to the CCK-ACD problem will answer the main question. However, if a lattice similar to those of SDA and OLA is constructed to solve CCK-ACD, there exist several short vectors of similar length in the lattice due to the symmetry of the $p_i$. Thus, if the short vector returned by the lattice reduction algorithm is a short linear combination of some of these vectors, one cannot extract information on a particular prime $p_i$ from it.

Independent work

Recently, Coron and Pereira [10] proposed an algorithm to solve the multi-prime ACD problem, which is the same as the 'search' CCK-ACD problem in this paper. The main idea of their attack is also the same as our SDA-style algorithm, which combines SDA with algebraic steps from Cheon et al. [5]. In this paper, we also propose another OLA-style algorithm to solve the 'decisional' CCK-ACD problem, using OLA with a new determinant distinguisher.

1.1 Our Work

In this paper, we propose two mathematical algorithms to solve the CCK-ACD problem by extending the OLA and SDA methods, which are well known for solving the ACD problem using lattice techniques. Both algorithms take the same time complexity $2^{O\left(\frac{\gamma}{(\eta-\rho)^2}\right)}$ up to polynomial factors for the bit size of samples $\gamma$, secret primes $\eta$ and error $\rho$. Our algorithms are the first algorithms related to $\eta$ and $\gamma$ for solving the CCK-ACD problem.

Let $b_j$ be a CCK-ACD sample with $b_j \equiv r_{ij} \bmod p_i$ for $1 \le j \le k$ and $0 \le i \le n$. Let $\mathbf{b}$ and $\mathbf{r}_i$ be the vectors $(b_j)$ and $(r_{ij})$, respectively. Technically, the first step of the classical OLA algorithm on input $b_j$ is to compute a lattice $\Lambda_N^{\perp}(\mathbf{b})$, the set of vectors orthogonal to $\mathbf{b}$ over $\mathbb{Z}_N$. Similarly, one can define a lattice $\Lambda^{\perp}(\{\mathbf{r}_0, \cdots, \mathbf{r}_n\})$, the set of vectors orthogonal to every $\mathbf{r}_i$ over the integers. Then we have

$$\Lambda^{\perp}(\{\mathbf{r}_0, \cdots, \mathbf{r}_n\}) \subset \Lambda_N^{\perp}(\mathbf{b}).$$

This implies that the size of the $k - n - 1$ shortest vectors of $\Lambda_N^{\perp}(\mathbf{b})$ is less than that of $\Lambda^{\perp}(\{\mathbf{r}_0, \cdots, \mathbf{r}_n\})$. The classical OLA algorithm assumes that the $k - n - 1$ shortest vectors generate $\Lambda^{\perp}(\{\mathbf{r}_0, \cdots, \mathbf{r}_n\})$. Moreover, the algorithm expects that $k - n - 1$ short vectors form a generating set. So finding $k - n - 1$ short vectors is likely to let us recover the lattice $\Lambda^{\perp}(\{\mathbf{r}_0, \cdots, \mathbf{r}_n\})$. However, one problem may arise after finding those short vectors. In the case of PACD (i.e. $n = 1$), the recovered lattice has rank two and $\|\mathbf{r}_1\| \ll \|\mathbf{r}_0\|$, so we can obtain the vector $\mathbf{r}_1$ easily. Then, the next step is to recover the secret integer $p_1$ by computing the GCD of $b_j - r_{1j}$ and $N = p_0 \cdot p_1$.
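As an added illustration (this is not code from the paper or its authors), the following Python script builds a toy CCK-ACD sample through the CRT exactly as the introduction describes it ($b \equiv r_i \bmod p_i$, with $r_0$ unrestricted and $r_1, \ldots, r_n$ drawn from $(-2^{\rho}, 2^{\rho})$) and then runs the exhaustive GCD search from the "Previous works" paragraph, counting the number of gcd evaluations it needed. The parameters ETA, RHO and N_PRIMES, the seed and all helper names are constructed for this example and are far below any real setting; the point is to see that the cost of this search is governed by $2^{\rho}$ alone, independent of $\eta$ and $\gamma$, which is why the paper notes that $\rho$ must be set to $\Omega(\lambda)$.

```python
import math
import random

# Toy parameters, constructed for this illustration only. Real CCK-FHE
# parameters use eta, rho and gamma that are orders of magnitude larger.
ETA = 24       # bit size of each secret prime p_0, ..., p_n
RHO = 6        # bit size of the error terms r_1, ..., r_n
N_PRIMES = 2   # n: number of message primes p_1..p_n (p_0 is the extra prime)

# Bases that make Miller-Rabin deterministic far beyond the 24-bit primes used here.
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(m):
    """Miller-Rabin primality test with fixed bases (deterministic for m < 3.18e23)."""
    if m < 2:
        return False
    for p in MR_BASES:
        if m % p == 0:
            return m == p
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def crt(residues, moduli):
    """Combine residues r_i mod p_i into the unique b in [0, N) with b = r_i mod p_i."""
    total = math.prod(moduli)
    b = 0
    for r, p in zip(residues, moduli):
        m_i = total // p
        b += r * m_i * pow(m_i, -1, p)
    return b % total


def gen_instance(n, eta, rho, rng):
    """Build one CCK-ACD sample: N = prod p_i and b with b = r_i mod p_i.

    r_0 is uniform mod p_0 (no smallness condition), while r_1..r_n lie in
    (-2^rho, 2^rho), matching the informal description in the paper.
    """
    primes = [random_prime(eta, rng) for _ in range(n + 1)]
    big_n = math.prod(primes)
    errors = [rng.randrange(primes[0])]
    errors += [rng.randrange(-(2 ** rho) + 1, 2 ** rho) for _ in range(n)]
    b = crt([e % p for e, p in zip(errors, primes)], primes)
    return big_n, b, primes, errors


def recover_factor_by_gcd(b, big_n, rho):
    """Exhaustive search over a in (-2^rho, 2^rho): gcd(b - a, N) is non-trivial
    exactly when a equals some r_i, because p_i divides b - r_i.
    Returns (factor, number_of_gcd_calls); factor is None if nothing was found.
    """
    tried = 0
    for a in range(-(2 ** rho) + 1, 2 ** rho):
        tried += 1
        g = math.gcd(b - a, big_n)
        if 1 < g < big_n:
            return g, tried
    return None, tried


def run_demo(seed=7, n=N_PRIMES, eta=ETA, rho=RHO):
    """Generate a toy instance and recover a secret prime; returns everything for inspection."""
    rng = random.Random(seed)
    big_n, b, primes, errors = gen_instance(n, eta, rho, rng)
    factor, tried = recover_factor_by_gcd(b, big_n, rho)
    return {"N": big_n, "b": b, "primes": primes, "errors": errors,
            "factor": factor, "gcd_calls": tried, "search_space": 2 ** (rho + 1) - 1}


if __name__ == "__main__":
    out = run_demo()
    print("secret primes:", out["primes"])
    print("recovered factor:", out["factor"], "after", out["gcd_calls"],
          "of at most", out["search_space"], "gcd calls")
```

Running the script prints the toy primes and the recovered factor together with the number of gcd calls spent; raising RHO by one doubles the search space while changing ETA leaves it untouched, which is the dependence the paper's $\tilde{O}(2^{\rho})$ bound expresses. Note that the returned factor may be a product of several $p_i$ when two error terms happen to coincide, so a practitioner would factor the result further before trusting it as a single prime.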
